Security Threats of Pervasive Computing

Remember when we had telephone booths on every street corner?

Now try and remember when the last time was that you saw a telephone booth. More than likely it was quite some time ago unless you live in a rural area. The fact is that cellular technology has driven telephone booths to the verge of extinction in most major population centers of the world. Who needs a phone booth when you can have a cell phone for $19.95 a month?

Now think back to the first time you ever heard of someone having their private telephone conversation hijacked while they were away from home on business or vacation. Not so surprisingly that memory probably corresponds closely to the advent of pervasive telephony - the cell phone. As personal communications devices have become pervasive, communications security and personal privacy have both declined. Not only have we become so accustomed to having a cell phone on our belt or in our purse that we don't give our private conversations a second thought, we have also become less aware of our environment and the existence of external threats to our privacy and security.

One need only sit in the airline lounge of a major airport and listen to the cellular telephone conversations taking place to realize that the secrets of the corporate world are far from secure. However, when that traveling corporate executive connects her cell phone to her notebook computer, the security threat suddenly increases by orders of magnitude.

In 1995, Nicholas Negroponte wrote in Being Digital that what was wired would become wireless and what was wireless would become wired. In examining the current trends in technology, it would appear that Negroponte was correct. Television and radio have both started to move from broadcast to Internet and cable while telephones, computers and even power transmission moves from wired to wireless. As technologies such as Bluetooth (www.bluetooth.com) come into common use, personal wireless technology will become as pervasive as the cell phone.

Wireless home networks, automobiles, personal digital assistants (PDAs) and digital cameras are but the beginning of the wireless world of the 21st century. Having the ability to snap a digital picture and have that picture immediately posted to the Internet via wireless technology will be a boon for journalists and artists. However, it will also be a powerful tool for terrorists and other criminals. Accessibility to anything from anywhere will soon allow an incredible potential for productivity and innovation. Unfortunately, it will also allow for almost endless opportunities for information exploits and attacks on personal and national security.

A recent article in New Scientist (B. Daviss, Write here, write now, December 1, 2001, pp. 38-40) discusses the ability to post messages in thin air using three-dimensional geospatial coordinates linked to an Internet web page. Using this implementation of wireless technology a person could attach a web-based message to any set of geospatial coordinates on Earth. Say, for instance you were driving to work and hit a patch of black ice on the road. You could immediately check the on-board navigation device in your car for the coordinates, pull out your wireless PDA and enter a message for the local traffic hazards web page warning other drivers of the ice patch. Then, as other drivers approached the coordinates of the ice patch, their web-enabled cell phone, wireless PDA or on-board navigation device would signal a warning and display your message. That is the positive side of the technology. On the flip-side, this convergence of technology has an amazing potential as a security threat.

Let's imagine that we are criminals wishing to make a covert exchange of information. I tell you to be on the grassy knoll by the big oak tree at midnight with your wireless PDA. At 11:59 I upload my message to a web page. As you approach the oak tree your PDA detects the geospatial link. You download the information and signal me. At 00:01 I delete the web page. Considering the billions of web pages on the Internet, the short exposure time and the fact that the link to the information is a physical location, our transfer is impersonal and reasonably secure (add encryption for more security). As first glance this example may seem pointless since, in this scenario, I could have emailed the information to you. However, all a security professional need do is contemplate the possibilities to realize the massive unsavory potential of this technology.

To this point I've only touched on a few of the many security hazards associated with pervasive computing. Moreover, I have quite purposely stated the hazards in general terms to keep from educating those who may have criminal intentions. However, let us now take a more detailed look at a simple piece of pervasive computing hardware, the PDA. For most users a PDA is a way to conveniently take your vital business data with you when you leave the office. However, most of us don't stop to think of the vital security precautions we are circumventing by loading our information onto a PDA.

First, we are removing one of the primary obstacles to unauthorized access - the physical security surrounding our offices and networks. Once critical data is on your PDA and you walk out the office door, all those millions of dollars invested in security engineering, alarms, guards and administrative controls are no longer effective. Not only is our data now very susceptible to theft or loss, it is also being used in public where others may shoulder surf or electronically intercept our data. Moreover, having our data available anywhere, anytime, prompts us to break out the cell phone and start doing business in all sorts of places where we would never openly discuss confidential matters if we were not lured to do so by convenient, pervasive technology.

Dave Lang is an adjunct professor at the George Washington University. He is also a certified protection professional and CISSP instructor.